{"version":1,"pages":[{"id":"gDoUcCEJCjImbd3Ntq06","title":"Home - Practical CTF","pathname":"/","siteSpaceId":"sitesp_GLTxV","emoji":"1f6a9","description":"A big collection of my notes for Capture The Flag (CTF) challenges and Hacking Techniques"},{"id":"qMYmm6EsrpvctcgZ5Vp4","title":"Enumeration","pathname":"/web/enumeration","siteSpaceId":"sitesp_GLTxV","description":"Find all content and functionality on a website, to get an idea of the attack surface. Often through fuzzing","breadcrumbs":[{"label":"Web","emoji":"1f310"}]},{"id":"qsXkrEWldGLwFfsJtxJy","title":"Finding Hosts & Domains","pathname":"/web/enumeration/finding-hosts-and-domains","siteSpaceId":"sitesp_GLTxV","description":"Find domain names and hosts relating to a company","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Enumeration"}]},{"id":"O7IlvtK4Oe8uUkQI5yKJ","title":"Masscan","pathname":"/web/enumeration/masscan","siteSpaceId":"sitesp_GLTxV","description":"Use masscan to asynchronously scan for open ports at incredible speeds, then later analyze the results with other tools","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Enumeration"}]},{"id":"6AfOehN5uZbCfcvED8MO","title":"Nmap","pathname":"/web/enumeration/nmap","siteSpaceId":"sitesp_GLTxV","description":"Network scanning tool with enumeration script to get detailed information about TCP/UDP ports, and the underlying system","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Enumeration"}]},{"id":"zJJqbLeOIXa4NOFnoXGy","title":"OSINT","pathname":"/web/enumeration/osint","siteSpaceId":"sitesp_GLTxV","description":"Open Source INTelligence: Abusing public information","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Enumeration"}]},{"id":"IjMmbRIWzLcm8yH9RVAT","title":"Client-Side","pathname":"/web/client-side","siteSpaceId":"sitesp_GLTxV","description":"Attacks on the browser, often involving the victim landing on an attacker's 
site","breadcrumbs":[{"label":"Web","emoji":"1f310"}]},{"id":"nuWbpokKOs8Usfj67ig7","title":"Cross-Site Scripting (XSS)","pathname":"/web/client-side/cross-site-scripting-xss","siteSpaceId":"sitesp_GLTxV","description":"Inject JavaScript code on victims to perform actions on their behalf","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"TPP9qH7lQ74LNCeeuTZr","title":"HTML Injection","pathname":"/web/client-side/cross-site-scripting-xss/html-injection","siteSpaceId":"sitesp_GLTxV","description":"Tricks possible with malicious HTML, in case XSS is not quite possible","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"},{"label":"Cross-Site Scripting (XSS)"}]},{"id":"VWzKtXk8syAguhuJ1sNB","title":"Content-Security-Policy (CSP)","pathname":"/web/client-side/cross-site-scripting-xss/content-security-policy-csp","siteSpaceId":"sitesp_GLTxV","description":"The CSP response header restricts what resources are allowed to execute, but can sometimes be bypassed","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"},{"label":"Cross-Site Scripting (XSS)"}]},{"id":"BPqAjXuzn7BmE0rGBTC3","title":"postMessage Exploitation","pathname":"/web/client-side/cross-site-scripting-xss/postmessage-exploitation","siteSpaceId":"sitesp_GLTxV","description":"Send cross-origin messages with arbitrary data, which can easily lead to Cross-Site Scripting in vulnerable handlers that fail to verify the origin","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"},{"label":"Cross-Site Scripting (XSS)"}]},{"id":"WMvDdA4lwRxUcgIoBSLf","title":"CSS Injection","pathname":"/web/client-side/css-injection","siteSpaceId":"sitesp_GLTxV","description":"Injecting CSS code to leak content on a page using selectors","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"2ApDESbcGovoAqTtL1PY","title":"Cross-Site Request Forgery 
(CSRF)","pathname":"/web/client-side/cross-site-request-forgery-csrf","siteSpaceId":"sitesp_GLTxV","description":"Submitting data-altering requests blindly from your domain on the client-side. Cookies are automatically sent, often requiring CSRF tokens as protection","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"2sxs7D5jfxUwLdwDjBKw","title":"XS-Leaks","pathname":"/web/client-side/xs-leaks","siteSpaceId":"sitesp_GLTxV","description":"Leaking information cross-site often through private search features","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"DF2UsOHoFPeeSMJ4dzF9","title":"Client-Side Path Traversal (CSPT)","pathname":"/web/client-side/client-side-path-traversal-cspt","siteSpaceId":"sitesp_GLTxV","description":"Using ../ sequences and URL parts to rewrite requests made by the browser","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"Uj2L0xnLNIV3yb0d9YH1","title":"CRLF / Header Injection","pathname":"/web/client-side/crlf-header-injection","siteSpaceId":"sitesp_GLTxV","description":"Manipulate HTTP headers in your favor or insert completely new ones with even more control","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"4u4lNAap2NX1MmG8nbIx","title":"Window Popup Tricks","pathname":"/web/client-side/window-popup-tricks","siteSpaceId":"sitesp_GLTxV","description":"Abusing browser functionality to do interesting things with popups and interactions","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"f53C213bYkcedUMbzRcZ","title":"WebSockets","pathname":"/web/client-side/websockets","siteSpaceId":"sitesp_GLTxV","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"JTZRBTftLi1y2cugkCon","title":"Caching","pathname":"/web/client-side/caching","siteSpaceId":"sitesp_GLTxV","description":"Remember static content to resolve less requests by the 
backend","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"ovKhH3sNdrcwkXriGJzR","title":"Headless Browsers","pathname":"/web/client-side/headless-browsers","siteSpaceId":"sitesp_GLTxV","description":"Tricks for dealing with input into headless browsers on the server, using client-side methods","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Client-Side"}]},{"id":"g333lLnA5NgMsa2DfYSl","title":"Server-Side","pathname":"/web/server-side","siteSpaceId":"sitesp_GLTxV","description":"Attacks that have impact on the server, often by abusing dangerous functionality","breadcrumbs":[{"label":"Web","emoji":"1f310"}]},{"id":"oUqBdDm20QorTrksR49f","title":"SQL Injection","pathname":"/web/server-side/sql-injection","siteSpaceId":"sitesp_GLTxV","description":"An infamous and simple attack where code is injected where data should be, rewriting the SQL Query","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"bOp0XRwSs5dJRMSAqexX","title":"NoSQL Injection","pathname":"/web/server-side/nosql-injection","siteSpaceId":"sitesp_GLTxV","description":"NoSQL databases are a type of database where objects are used instead of SQL strings. 
MongoDB is common but more are vulnerable","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"32ATLC8R0j6RSUDokcnQ","title":"GraphQL","pathname":"/web/server-side/graphql","siteSpaceId":"sitesp_GLTxV","description":"Query structured data through an API and perform mutations with authorization","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"sQr2K5LM1BB8ZR4AbNvo","title":"XML External Entities (XXE)","pathname":"/web/server-side/xml-external-entities-xxe","siteSpaceId":"sitesp_GLTxV","description":"Injecting Entities into XML data to read local files and exfiltrate data","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"WYl34yVALPEclx2Xk5T4","title":"HTTP Request Smuggling","pathname":"/web/server-side/http-request-smuggling","siteSpaceId":"sitesp_GLTxV","description":"Parsing of Content-Length and Transfer-Encoding headers leads to messing with boundaries of requests","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"7kkeuoIi3TSFGrru8hRY","title":"Local File Disclosure","pathname":"/web/server-side/local-file-disclosure","siteSpaceId":"sitesp_GLTxV","description":"Gain information by reading files on a web server, also known as Local File Inclusion (LFI)","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"VFPEL1ZFZwCN9EKFUt9u","title":"Arbitrary File Write","pathname":"/web/server-side/arbitrary-file-write","siteSpaceId":"sitesp_GLTxV","description":"Being able to create or overwrite files on a server, often causing Remote Code Execution (RCE)","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"3EscTKnlrhX6a6bfhplc","title":"Reverse Proxies","pathname":"/web/server-side/reverse-proxies","siteSpaceId":"sitesp_GLTxV","description":"Servers on top of web applications that route traffic, manage headers and 
more","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"9iGvpSgXUL3H2G0HCEW2","title":"ImageMagick","pathname":"/web/server-side/imagemagick","siteSpaceId":"sitesp_GLTxV","description":"A tool/library for converting and editing images of many formats, with some older versions having known vulnerabilities","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Server-Side"}]},{"id":"Wj89Qt9pih1bwtFwQOaf","title":"Frameworks","pathname":"/web/frameworks","siteSpaceId":"sitesp_GLTxV","description":"Libraries for specific programming languages that make development easier, with their own quirks","breadcrumbs":[{"label":"Web","emoji":"1f310"}]},{"id":"t7dnhjOQj6tNcUgbmrkZ","title":"Flask","pathname":"/web/frameworks/flask","siteSpaceId":"sitesp_GLTxV","description":"A Python library working with Werkzeug and Jinja2","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"tHgxOOXELPlQDBq0yIVG","title":"Ruby on Rails","pathname":"/web/frameworks/ruby-on-rails","siteSpaceId":"sitesp_GLTxV","description":"A common web framework for the Ruby Programming Language","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"XfjcRyMBT5IyybyZWd2i","title":"NodeJS","pathname":"/web/frameworks/nodejs","siteSpaceId":"sitesp_GLTxV","description":"The backend for running JavaScript as a server or application","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"XSUqRrBzV73SMIOxs3i3","title":"Bun","pathname":"/web/frameworks/bun","siteSpaceId":"sitesp_GLTxV","description":"An alternative JavaScript runtime with unique libraries and quirks","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"pPX8USF0xhLegHxwNR1Y","title":"WordPress","pathname":"/web/frameworks/wordpress","siteSpaceId":"sitesp_GLTxV","description":"A popular Content Management System (CMS) for static content, with a visual 
UI","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"DdeWvWpOxBTFDSpQAJsL","title":"Angular","pathname":"/web/frameworks/angular","siteSpaceId":"sitesp_GLTxV","description":"Frontend framework with template-like syntax","breadcrumbs":[{"label":"Web","emoji":"1f310"},{"label":"Frameworks"}]},{"id":"VNLn3aUa61FefkfpRFZ8","title":"Encodings","pathname":"/cryptography/encodings","siteSpaceId":"sitesp_GLTxV","description":"","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"8i4dym4rvflEsvCwlhft","title":"Ciphers","pathname":"/cryptography/ciphers","siteSpaceId":"sitesp_GLTxV","description":"Ways to encrypt text. Often methods used a long time ago to send secret messages","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"XljlG0yRDuFrdd6U0lTm","title":"AES","pathname":"/cryptography/aes","siteSpaceId":"sitesp_GLTxV","description":"The Advanced Encryption Standard is a common symmetric encryption standard with a few different modes of operation","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"15QGQyuGEqWhYucrvYMs","title":"Asymmetric Encryption","pathname":"/cryptography/asymmetric-encryption","siteSpaceId":"sitesp_GLTxV","description":"Using Public and Private keys to securely transmit data in a way that only the recipients can decrypt it","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"uTnCBhWNd4JUUWbfJe3g","title":"RSA","pathname":"/cryptography/asymmetric-encryption/rsa","siteSpaceId":"sitesp_GLTxV","description":"An encryption standard using prime number factorization to encrypt and decrypt with an asymmetric keypair","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Asymmetric Encryption"}]},{"id":"TtFRaBmoV4V7rgbbceDx","title":"Diffie-Hellman","pathname":"/cryptography/asymmetric-encryption/diffie-hellman","siteSpaceId":"sitesp_GLTxV","description":"The Diffie-Hellman Key Exchange uses asymmetric encryption to set up a shared secret for symmetric 
encryption","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Asymmetric Encryption"}]},{"id":"qSC1f9dXtWIsuAegNZmU","title":"PGP / GPG","pathname":"/cryptography/asymmetric-encryption/pgp-gpg","siteSpaceId":"sitesp_GLTxV","description":"The \"Pretty Good Privacy\" asymmetric encryption scheme used in email and sending encrypted or signed messages","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Asymmetric Encryption"}]},{"id":"EGdCtJyflWEj9chxQQFk","title":"Pseudo-Random Number Generators (PRNG)","pathname":"/cryptography/pseudo-random-number-generators-prng","siteSpaceId":"sitesp_GLTxV","description":"Often the default random function in whatever language is not cryptographically secure, making it possible to predict values","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"KaKPzHO8nKOHwAiMYE4l","title":"Hashing","pathname":"/cryptography/hashing","siteSpaceId":"sitesp_GLTxV","description":"One-way functions that generate a unique hash of some data","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"O8qJJ4F6O6m8Kozm0ZvF","title":"Cracking Hashes","pathname":"/cryptography/hashing/cracking-hashes","siteSpaceId":"sitesp_GLTxV","description":"The point of hashes is that you can't reverse them, but we can sometimes find the original text by brute-forcing","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Hashing"}]},{"id":"6ko2efKEtTsrwKoUhilt","title":"Cracking Signatures","pathname":"/cryptography/hashing/cracking-signatures","siteSpaceId":"sitesp_GLTxV","description":"Some examples of signature implementations (often HMAC) that can be cracked using hashcat","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Hashing"}]},{"id":"ZIy5OQVWtYR84VpOJjnn","title":"XOR","pathname":"/cryptography/xor","siteSpaceId":"sitesp_GLTxV","description":"An operation between bits used often in 
cryptography","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"VVdnK4UFvyXnTzFBPeHc","title":"Custom Ciphers","pathname":"/cryptography/custom-ciphers","siteSpaceId":"sitesp_GLTxV","description":"\"Never roll your own crypto\" is a saying for a reason. It's hard to make a secure cryptographic algorithm because there are many ways it may be broken","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"0ivfpeSEwA0njKX4GsES","title":"Z3 Solver","pathname":"/cryptography/custom-ciphers/z3-solver","siteSpaceId":"sitesp_GLTxV","description":"The Z3 Theorem Prover can automatically solve puzzles in Python","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Custom Ciphers"}]},{"id":"zB2MobwyOngAPPRNkChX","title":"Timing Attacks","pathname":"/cryptography/timing-attacks","siteSpaceId":"sitesp_GLTxV","description":"Using timing information to extract information","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"t2wMnsPSS2ztgT7wkghT","title":"Blockchain","pathname":"/cryptography/blockchain","siteSpaceId":"sitesp_GLTxV","description":"","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"}]},{"id":"5z2FboMp0bCNFRbW2BCv","title":"Smart Contracts","pathname":"/cryptography/blockchain/smart-contracts","siteSpaceId":"sitesp_GLTxV","description":"A few small bits about attacking Smart Contracts in Web3","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Blockchain"}]},{"id":"J3gUm5yaddlYOAzoG34w","title":"Bitcoin addresses","pathname":"/cryptography/blockchain/bitcoin-addresses","siteSpaceId":"sitesp_GLTxV","description":"A bit of information about Bitcoin addresses","breadcrumbs":[{"label":"Cryptography","emoji":"1f523"},{"label":"Blockchain"}]},{"id":"yEeJC4ZWnwAfQEUJEuqC","title":"Wireshark","pathname":"/forensics/wireshark","siteSpaceId":"sitesp_GLTxV","description":"A popular tool to analyze and extract data from network packet 
captures","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"hK73ikapQBGhnmhOBfeQ","title":"File Formats","pathname":"/forensics/file-formats","siteSpaceId":"sitesp_GLTxV","description":"What to do with a file you don't understand","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"GCAU8wkXuyH1MEwbIOgQ","title":"Archives","pathname":"/forensics/archives","siteSpaceId":"sitesp_GLTxV","description":"Different kinds of file archives, like ZIP, RAR or TAR","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"00O5kZucpeSaVDOPvpZU","title":"Memory Dumps (Volatility)","pathname":"/forensics/memory-dumps-volatility","siteSpaceId":"sitesp_GLTxV","description":"Big dump of the RAM on a system. Use tools like volatility to analyze the dumps and get information about what happened","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"WQi16zkVcUmLZPou4fyE","title":"VBA Macros","pathname":"/forensics/vba-macros","siteSpaceId":"sitesp_GLTxV","description":"Visual Basic for Applications is a programming language used to create macro scripts for Microsoft office apps","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"xV68ox8PncByDEkWvyWH","title":"Grep","pathname":"/forensics/grep","siteSpaceId":"sitesp_GLTxV","description":"Search for text inside of files","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"lluGrk1R15dzf5PZWTav","title":"Git","pathname":"/forensics/git","siteSpaceId":"sitesp_GLTxV","description":"A version control system often saving lots of information about how files were changed","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"s8DegPU9uYQFFXRdgXn6","title":"File Recovery","pathname":"/forensics/file-recovery","siteSpaceId":"sitesp_GLTxV","description":"Recovering content of deleted files","breadcrumbs":[{"label":"Forensics","emoji":"1f50e"}]},{"id":"uqyxOzq1NYc5nXspq5OQ","title":"Ghidra","pathname":"/reverse-engineering/ghidra","siteSpaceId":"sitesp_GLTxV","description":"A reverse 
engineering tool made by the NSA with a powerful decompiler","breadcrumbs":[{"label":"Reverse Engineering","emoji":"2699"}]},{"id":"WM5yTxdE9OVGTEfqm4IF","title":"Angr Solver","pathname":"/reverse-engineering/angr-solver","siteSpaceId":"sitesp_GLTxV","description":"A binary analysis tool in Python to automatically find paths to code","breadcrumbs":[{"label":"Reverse Engineering","emoji":"2699"}]},{"id":"jEQXZY0SPAaR6uHLmYyf","title":"Reversing C# - .NET / Unity","pathname":"/reverse-engineering/reversing-c-.net-unity","siteSpaceId":"sitesp_GLTxV","description":"Reverse Engineering executable files compiled with C# .NET (including Unity)","breadcrumbs":[{"label":"Reverse Engineering","emoji":"2699"}]},{"id":"VnZOy9AYpg14Pua2ywNp","title":"PowerShell","pathname":"/reverse-engineering/powershell","siteSpaceId":"sitesp_GLTxV","description":"Deobfuscate heavily-obfuscated PowerShell scripts to find their source code","breadcrumbs":[{"label":"Reverse Engineering","emoji":"2699"}]},{"id":"xFvmcFUzP5f8vR0EVjfp","title":"Reverse Engineering for Pwn","pathname":"/binary-exploitation/reverse-engineering-for-pwn","siteSpaceId":"sitesp_GLTxV","description":"Understand the binary and find vulnerabilities by analyzing it","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"vJMTNQTRKwHW2ZF8WXvM","title":"PwnTools","pathname":"/binary-exploitation/pwntools","siteSpaceId":"sitesp_GLTxV","description":"A Python library that helps in creating scripts for binary exploitation, doing many things automagically","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"lAYiNM4WC9YHT6rq91uP","title":"ret2win","pathname":"/binary-exploitation/ret2win","siteSpaceId":"sitesp_GLTxV","description":"Jump to a predefined function in the binary, even with arguments","breadcrumbs":[{"label":"Binary 
Exploitation","emoji":"1f4df"}]},{"id":"Ro21rnz5yVtVNnpMt98s","title":"ret2libc","pathname":"/binary-exploitation/ret2libc","siteSpaceId":"sitesp_GLTxV","description":"Using a buffer overflow to call the libc system(\"/bin/sh\") function","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"DgxIvJn1bWOesmrqZ5cw","title":"Shellcode","pathname":"/binary-exploitation/shellcode","siteSpaceId":"sitesp_GLTxV","description":"Writing and debugging your own shellcode","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"zdr4vrZNywOfIgjsCb3J","title":"Stack Canaries","pathname":"/binary-exploitation/stack-canaries","siteSpaceId":"sitesp_GLTxV","description":"Two protections that use a secret unpredictable value to reduce exploitability in memory corruption. Learn how to bypass them in certain scenarios","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"pf9M9USaH0I91COGYmyW","title":"Return-Oriented Programming (ROP)","pathname":"/binary-exploitation/return-oriented-programming-rop","siteSpaceId":"sitesp_GLTxV","description":"Return-Oriented Programming is a common technique for exploiting buffer overflows by executing gadgets to do what you want","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"MbSAFP0tLsFpiOUHy01A","title":"SigReturn-Oriented Programming (SROP)","pathname":"/binary-exploitation/return-oriented-programming-rop/sigreturn-oriented-programming-srop","siteSpaceId":"sitesp_GLTxV","description":"A special technique in ROP to set all registers only using a syscall","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"},{"label":"Return-Oriented Programming (ROP)"}]},{"id":"yUo4yXKrFOMAaF7r3Q0I","title":"ret2dlresolve","pathname":"/binary-exploitation/return-oriented-programming-rop/ret2dlresolve","siteSpaceId":"sitesp_GLTxV","description":"A way to exploit buffer overflows using ROP when not many gadgets are available, and Full RELRO is 
disabled","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"},{"label":"Return-Oriented Programming (ROP)"}]},{"id":"LW1jLtLGWh9HusLVmQnV","title":"Sandboxes (chroot, seccomp & namespaces)","pathname":"/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces","siteSpaceId":"sitesp_GLTxV","description":"Escaping from sandboxed environments by exploiting the capabilities that were left open","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"dhFItoKgh3ilDgAUlgEY","title":"Race Conditions","pathname":"/binary-exploitation/race-conditions","siteSpaceId":"sitesp_GLTxV","description":"Multiple processes running at the same time messing with each other or interrupting code with other code to create brief flawed states","breadcrumbs":[{"label":"Binary Exploitation","emoji":"1f4df"}]},{"id":"m5Ipio0yBg9a7mLyhyiB","title":"Setup","pathname":"/mobile/setup","siteSpaceId":"sitesp_GLTxV","description":"Setting up an Android testing environment","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"9Y9WWv0HxdQuKiXM7ZTa","title":"Reversing APKs","pathname":"/mobile/reversing-apks","siteSpaceId":"sitesp_GLTxV","description":"Decompiling and understanding unknown APKs, using dynamic and static testing","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"dy2CekF5IwqsYzaxu6hX","title":"Patching APKs","pathname":"/mobile/patching-apks","siteSpaceId":"sitesp_GLTxV","description":"After decompiling the code, you can change code and build the app again to patch the APK, and make it do different things","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"d4unAEjqCV25LYsCM23A","title":"HTTP(S) Proxy for Android","pathname":"/mobile/http-s-proxy-for-android","siteSpaceId":"sitesp_GLTxV","description":"Intercept traffic going from and to an emulated Android device with Burp 
Suite","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"r58IFFnzP8LifbifTubG","title":"Frida","pathname":"/mobile/frida","siteSpaceId":"sitesp_GLTxV","description":"A JavaScript tool to interact with running Android applications through code","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"pHfcJR9aE83vwjZHTne1","title":"Android Backup","pathname":"/mobile/android-backup","siteSpaceId":"sitesp_GLTxV","description":"Extracting information from an Android Backup (.ab) file","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"888zIO1qh3TZgJI2XSNu","title":"Compiling C for Android","pathname":"/mobile/compiling-c-for-android","siteSpaceId":"sitesp_GLTxV","description":"Compile and run C programs on Android to debug pieces of code","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"5VxL0KZcjrc6gp8LA2oL","title":"iOS","pathname":"/mobile/ios","siteSpaceId":"sitesp_GLTxV","description":"Reverse Engineering iOS applications in .app format","breadcrumbs":[{"label":"Mobile","emoji":"1f4f2"}]},{"id":"ERJKCwMimV2uMUUAR6hF","title":"Python","pathname":"/languages/python","siteSpaceId":"sitesp_GLTxV","description":"Some tricks specific to the Python language","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"LRsZdzzcQ7PahGUFDJCO","title":"JavaScript","pathname":"/languages/javascript","siteSpaceId":"sitesp_GLTxV","description":"A very popular language used to create interactivity on the web, and on the backend using NodeJS","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"XMih8LnYjI92yV4F4GLS","title":"Prototype Pollution","pathname":"/languages/javascript/prototype-pollution","siteSpaceId":"sitesp_GLTxV","description":"Exploit recursive property setting functions with special .__proto__ and .prototype options to add fallbacks to other property 
accesses","breadcrumbs":[{"label":"Languages","emoji":"1f30e"},{"label":"JavaScript"}]},{"id":"lPjv8cvNuNY7bn5d5aSO","title":"PHP","pathname":"/languages/php","siteSpaceId":"sitesp_GLTxV","description":"Some tricks specific to the PHP web programming language","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"hgrRuyw5uys2bpv5M0pz","title":"Java","pathname":"/languages/java","siteSpaceId":"sitesp_GLTxV","description":"An Object-Oriented programming language often used in enterprise environments","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"BfCvABBGH6OL75NId4M5","title":"C#","pathname":"/languages/c","siteSpaceId":"sitesp_GLTxV","description":"C Sharp and the .NET Framework","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"R59RXfDkKIyrOj4QzBc8","title":"Assembly","pathname":"/languages/assembly","siteSpaceId":"sitesp_GLTxV","description":"A few cheatsheet-like things about the Assembly language","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"hvg2NQSMRayZ86DY1hgp","title":"Markdown","pathname":"/languages/markdown","siteSpaceId":"sitesp_GLTxV","description":"Markdown is an easy to use markup language used in the Github README for example","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"8cGQuseDaqeRlYfQ2AiE","title":"LaTeX","pathname":"/languages/latex","siteSpaceId":"sitesp_GLTxV","description":"A powerful language for text markup and document generation, but dangerous for user input","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"weCOql6MxoH3TBMklwtD","title":"JSON","pathname":"/languages/json","siteSpaceId":"sitesp_GLTxV","description":"JSON is a widely used format to store structured data, with arrays and dictionary keys","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"cVXcA29rxdf5X1Ey8Xb2","title":"YAML","pathname":"/languages/yaml","siteSpaceId":"sitesp_GLTxV","description":"Yet Another Markup 
Language","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"1IH64ifM4FQHrJLcsAJ0","title":"CodeQL","pathname":"/languages/codeql","siteSpaceId":"sitesp_GLTxV","description":"A query language for repositories of code","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"6C1Jvenl9Wcc4LkE6vfD","title":"NASL (Nessus Plugins)","pathname":"/languages/nasl-nessus-plugins","siteSpaceId":"sitesp_GLTxV","description":"Nessus Attack Scripting Language for writing plugins","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"QPhqTqqMmFyK4DUF6Zl5","title":"Regular Expressions (RegEx)","pathname":"/languages/regular-expressions-regex","siteSpaceId":"sitesp_GLTxV","description":"Regular Expressions are a syntax for writing patterns to match. Many symbols have a special meaning, allowing you to write complex rules in a very short string","breadcrumbs":[{"label":"Languages","emoji":"1f30e"}]},{"id":"PYICGm0N0wA9KZ7CU30n","title":"Modbus - TCP/502","pathname":"/networking/modbus-tcp-502","siteSpaceId":"sitesp_GLTxV","description":"A protocol for PLCs to store values in coils, inputs, and registers at addresses","breadcrumbs":[{"label":"Networking","emoji":"1f916"}]},{"id":"uRp9d8nCke1MkfgzvB1Y","title":"Redis/Valkey - TCP/6379","pathname":"/networking/redis-valkey-tcp-6379","siteSpaceId":"sitesp_GLTxV","description":"An in-memory data store often used to store small data like cache, sessions or queues","breadcrumbs":[{"label":"Networking","emoji":"1f916"}]},{"id":"cmHz61nzLejiKyYo6W0k","title":"Shells","pathname":"/linux/hacking-linux-boxes","siteSpaceId":"sitesp_GLTxV","description":"Specific tricks to get a shell for hacking Linux-based boxes","breadcrumbs":[{"label":"Linux","emoji":"1f427"}]},{"id":"p3yKPq7EMJPgMEHFGxXf","title":"Bash","pathname":"/linux/bash","siteSpaceId":"sitesp_GLTxV","description":"Useful commands/syntax and bash tricks","breadcrumbs":[{"label":"Linux","emoji":"1f427"}]},{"id":"Ld0wSQX5CWnu7o2KiNET","title":"Linux Privilege 
Escalation","pathname":"/linux/linux-privilege-escalation","siteSpaceId":"sitesp_GLTxV","description":"Go from a low-privilege user to a higher one to gain access to things you're not supposed to","breadcrumbs":[{"label":"Linux","emoji":"1f427"}]},{"id":"bL3KWDNVgLqGUBSxf3Ku","title":"Enumeration","pathname":"/linux/linux-privilege-escalation/enumeration","siteSpaceId":"sitesp_GLTxV","description":"Finding information about the target system to find vulnerabilities that allow privilege escalation","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"ccn22x4jzXeXLi6Kq46M","title":"Networking","pathname":"/linux/linux-privilege-escalation/networking","siteSpaceId":"sitesp_GLTxV","description":"How to best communicate between you and everything on your target","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"m9rhVQ37ewa8ZS81Xaoz","title":"Command Triggers","pathname":"/linux/linux-privilege-escalation/command-triggers","siteSpaceId":"sitesp_GLTxV","description":"Finding commands that are / can be executed with elevated privileges","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"1PalxW04AZvrJKXVC09J","title":"Command Exploitation","pathname":"/linux/linux-privilege-escalation/command-exploitation","siteSpaceId":"sitesp_GLTxV","description":"Exploiting commands that are executed with elevated privileges to do more than you are supposed to","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"hL2p6FWiq5jlKA8YI6S1","title":"Outdated Versions","pathname":"/linux/linux-privilege-escalation/outdated-versions","siteSpaceId":"sitesp_GLTxV","description":"Some common services run with elevated privileges, and can be dangerous if set up incorrectly or are outdated","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"aER1UNnqfnwtqJNPezd1","title":"Network 
File Sharing (NFS)","pathname":"/linux/linux-privilege-escalation/network-file-sharing-nfs","siteSpaceId":"sitesp_GLTxV","description":"Sharing a fileserver over the network sometimes allows you to upload files as root and escalate privileges","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"66Un6LhavryuVmvOYHFj","title":"Docker","pathname":"/linux/linux-privilege-escalation/docker","siteSpaceId":"sitesp_GLTxV","description":"Use containers to run applications in a reproducible and isolated environment","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"xSLQi4BQ5ApFEzAwxMyL","title":"Filesystem Permissions","pathname":"/linux/linux-privilege-escalation/filesystem-permissions","siteSpaceId":"sitesp_GLTxV","description":"Wrong permissions on files may lead to someone doing what they should not be allowed to","breadcrumbs":[{"label":"Linux","emoji":"1f427"},{"label":"Linux Privilege Escalation"}]},{"id":"f9iUdwnlqYbvATCEmV1J","title":"Analyzing Processes","pathname":"/linux/analyzing-processes","siteSpaceId":"sitesp_GLTxV","description":"Find detailed information about other running processes using the /proc folder and other tricks","breadcrumbs":[{"label":"Linux","emoji":"1f427"}]},{"id":"F2brhJUNZbUZqKX3yfTw","title":"Scanning/Spraying","pathname":"/windows/scanning-spraying","siteSpaceId":"sitesp_GLTxV","description":"Finding your attack surface and testing credentials","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"6EH6on9p4LnuQBtHiSMo","title":"Exploitation","pathname":"/windows/exploitation","siteSpaceId":"sitesp_GLTxV","description":"When you find a vulnerability, Windows has some specific ways to exploit it that differ from Linux","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"Xxf64hhbQ2sbZ5oeFcuB","title":"Local Enumeration","pathname":"/windows/local-enumeration","siteSpaceId":"sitesp_GLTxV","description":"Get information about a 
compromised machine to find possible ways to escalate privileges","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"MvMBQbuQFap6prRzdegl","title":"Local Privilege Escalation","pathname":"/windows/local-privilege-escalation","siteSpaceId":"sitesp_GLTxV","description":"Escalate privileges on a local computer to become a more powerful user","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"6hak7rCxYiSNM1TivRRQ","title":"Windows Authentication","pathname":"/windows/windows-authentication","siteSpaceId":"sitesp_GLTxV","description":"Kerberos & NTLM","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"FMc1fpHTrxqKvmH5ijfi","title":"Kerberos","pathname":"/windows/windows-authentication/kerberos","siteSpaceId":"sitesp_GLTxV","description":"The newest Active Directory authentication protocol with fewer flaws than NetNTLM, but still some possible attacks","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"},{"label":"Windows Authentication"}]},{"id":"roDmR9GkWeziEbNvWxBg","title":"NTLM","pathname":"/windows/windows-authentication/ntlm","siteSpaceId":"sitesp_GLTxV","description":"A legacy authentication protocol for Active Directory with many flaws and dangers","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"},{"label":"Windows Authentication"}]},{"id":"m923iM4xC6mysr5ZRmcI","title":"Lateral Movement","pathname":"/windows/lateral-movement","siteSpaceId":"sitesp_GLTxV","description":"Moving between computers by re-using accounts to get more access","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"xHxxuoKdO27GCHD0pulB","title":"Active Directory Privilege Escalation","pathname":"/windows/active-directory-privilege-escalation","siteSpaceId":"sitesp_GLTxV","description":"Traverse the Active Directory permissions to escalate your privileges and access 
more","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"hAJdqxIRC5qVT7ZfI4TC","title":"Persistence","pathname":"/windows/persistence","siteSpaceId":"sitesp_GLTxV","description":"When a computer or even the entire domain is compromised, how do you keep it that way? (note: not normally required in a pentest)","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"85Xe5XJ4acBbCROLC4W8","title":"Antivirus Evasion","pathname":"/windows/antivirus-evasion","siteSpaceId":"sitesp_GLTxV","description":"Getting your payload and tools through antivirus protections by obfuscating them or disabling protections","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"slCOiYyGKqJpGK2RVLUb","title":"Metasploit","pathname":"/windows/metasploit","siteSpaceId":"sitesp_GLTxV","description":"Using existing exploits from the Metasploit Framework (MSF) to quickly take over machines and escalate privileges","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"7JvfjuR0UhnxoKu6AF0c","title":"Alternate Data Streams (ADS)","pathname":"/windows/alternate-data-streams-ads","siteSpaceId":"sitesp_GLTxV","description":"In a NTFS file system, files can have multiple streams with extra data","breadcrumbs":[{"label":"Windows","emoji":"1fa9f"}]},{"id":"iVLsBOiutSyyMuGwrSZx","title":"Kubernetes","pathname":"/cloud/kubernetes","siteSpaceId":"sitesp_GLTxV","description":"Container Orchestration for managing big scalable infrastructure of containerized applications","breadcrumbs":[{"label":"Cloud","emoji":"2601"}]},{"id":"KeYrkNU2Co0HR03JZhVP","title":"Microsoft Azure","pathname":"/cloud/microsoft-azure","siteSpaceId":"sitesp_GLTxV","description":"The Microsoft Azure cloud, and how to attack certain parts of it","breadcrumbs":[{"label":"Cloud","emoji":"2601"}]},{"id":"9ahp9OFwUqEqvXwUzpND","title":"Business Logic Errors","pathname":"/other/business-logic-errors","siteSpaceId":"sitesp_GLTxV","description":"Finding flaws of the logic in an application. 
Instead of complex injections, break the regular flow or perform unexpected actions","breadcrumbs":[{"label":"Other","emoji":"2754"}]},{"id":"uoZGOwaMDjLfkH6yXLtB","title":"Password Managers","pathname":"/other/password-managers","siteSpaceId":"sitesp_GLTxV","description":"Passwords stored in a central vault, which may have some weaknesses depending on your target","breadcrumbs":[{"label":"Other","emoji":"2754"}]},{"id":"PPNZPGa7SJKRXOWwM2IL","title":"ANSI Escape Codes","pathname":"/other/ansi-escape-codes","siteSpaceId":"sitesp_GLTxV","description":"Use special escape codes in the terminal to set colors, change the screen or perform other actions","breadcrumbs":[{"label":"Other","emoji":"2754"}]},{"id":"3mqJnNeMRLiIek9pJUPz","title":"WSL Tips","pathname":"/other/wsl-tips","siteSpaceId":"sitesp_GLTxV","description":"Using Windows Subsystem for Linux as your attacker environment","breadcrumbs":[{"label":"Other","emoji":"2754"}]}]}